Documentation: Document PowerPC kernel DEXCR interface
Describe the DEXCR and document how to configure it. Signed-off-by: Benjamin Gray <bgray@linux.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://msgid.link/20230616034846.311705-9-bgray@linux.ibm.com
This commit is contained in:
parent
97228ca375
commit
65d6c884bf
58
Documentation/powerpc/dexcr.rst
Normal file
58
Documentation/powerpc/dexcr.rst
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
.. SPDX-License-Identifier: GPL-2.0-or-later
|
||||||
|
|
||||||
|
==========================================
|
||||||
|
DEXCR (Dynamic Execution Control Register)
|
||||||
|
==========================================
|
||||||
|
|
||||||
|
Overview
|
||||||
|
========
|
||||||
|
|
||||||
|
The DEXCR is a privileged special purpose register (SPR) introduced in
|
||||||
|
PowerPC ISA 3.1B (Power10) that allows per-cpu control over several dynamic
|
||||||
|
execution behaviours. These behaviours include speculation (e.g., indirect
|
||||||
|
branch target prediction) and enabling return-oriented programming (ROP)
|
||||||
|
protection instructions.
|
||||||
|
|
||||||
|
The execution control is exposed in hardware as up to 32 bits ('aspects') in
|
||||||
|
the DEXCR. Each aspect controls a certain behaviour, and can be set or cleared
|
||||||
|
to enable/disable the aspect. There are several variants of the DEXCR for
|
||||||
|
different purposes:
|
||||||
|
|
||||||
|
DEXCR
|
||||||
|
A privileged SPR that can control aspects for userspace and kernel space
|
||||||
|
HDEXCR
|
||||||
|
A hypervisor-privileged SPR that can control aspects for the hypervisor and
|
||||||
|
enforce aspects for the kernel and userspace.
|
||||||
|
UDEXCR
|
||||||
|
An optional ultravisor-privileged SPR that can control aspects for the ultravisor.
|
||||||
|
|
||||||
|
Userspace can examine the current DEXCR state using a dedicated SPR that
|
||||||
|
provides a non-privileged read-only view of the userspace DEXCR aspects.
|
||||||
|
There is also an SPR that provides a read-only view of the hypervisor enforced
|
||||||
|
aspects, which ORed with the userspace DEXCR view gives the effective DEXCR
|
||||||
|
state for a process.
|
||||||
|
|
||||||
|
|
||||||
|
Configuration
|
||||||
|
=============
|
||||||
|
|
||||||
|
The DEXCR is currently unconfigurable. All threads are run with the
|
||||||
|
NPHIE aspect enabled.
|
||||||
|
|
||||||
|
|
||||||
|
coredump and ptrace
|
||||||
|
===================
|
||||||
|
|
||||||
|
The userspace values of the DEXCR and HDEXCR (in this order) are exposed under
|
||||||
|
``NT_PPC_DEXCR``. These are each 64 bits and readonly, and are intended to
|
||||||
|
assist with core dumps. The DEXCR may be made writable in future. The top 32
|
||||||
|
bits of both registers (corresponding to the non-userspace bits) are masked off.
|
||||||
|
|
||||||
|
If the kernel config ``CONFIG_CHECKPOINT_RESTORE`` is enabled, then
|
||||||
|
``NT_PPC_HASHKEYR`` is available and exposes the HASHKEYR value of the process
|
||||||
|
for reading and writing. This is a tradeoff between increased security and
|
||||||
|
checkpoint/restore support: a process should normally have no need to know its
|
||||||
|
secret key, but restoring a process requires setting its original key. The key
|
||||||
|
therefore appears in core dumps, and an attacker may be able to retrieve it from
|
||||||
|
a coredump and effectively bypass ROP protection on any threads that share this
|
||||||
|
key (potentially all threads from the same parent that have not run ``exec()``).
|
@ -15,6 +15,7 @@ powerpc
|
|||||||
cxl
|
cxl
|
||||||
cxlflash
|
cxlflash
|
||||||
dawr-power9
|
dawr-power9
|
||||||
|
dexcr
|
||||||
dscr
|
dscr
|
||||||
eeh-pci-error-recovery
|
eeh-pci-error-recovery
|
||||||
elf_hwcaps
|
elf_hwcaps
|
||||||
|
Loading…
Reference in New Issue
Block a user